The Internet of Things: FDA Releases Guidance on Securing Wireless Medical Devices -- What Medical Device Manufacturers Should Know

• FDA, responding to pressure to provide direction on wireless medical device security, has released guidance concerning the use of RF wireless technology in medical devices.  The Guidance contains FDA’s recommendations to wireless medical device manufacturers for securing these devices and complying with governing FDA regulations.
• Key takeaway:  FDA is now paying close attention to medical device manufacturers' (MDMs) wireless technology risk management procedures.  As failure to meet applicable FDA regulations could potentially lead to an enforcement action, MDMs would be wise to:
  • Choose their devices' RF wireless components and frequency of operation with device security firmly in mind,
  • Include device design features that support strong user authentication controls meant to restrict device access to authorized users only,
  • Provide sufficient wireless security information to device users, and be prepared to take corrective and preventative action if wireless related malfunctions do occur, and
  • Maintain documentation of their devices' wireless security related design features, production specifications, and quality control analyses.

The Internet of Things (i.e., physical devices that can connect to the internet wirelessly) is everywhere -- in cars, in household  appliances, even our bodies.  And while there are endless potential benefits to having smart wireless devices that can perform tasks more efficiently by accessing data about our preferences and needs, many fear that the proliferation of wireless physical devices poses a tremendous threat to our collective security and individual privacy.  Importantly, a variety of federal agencies are in that "group of the wary," and they have made clear that they are prepared to regulate the Internet of Things accordingly.  One such agency, the Food and Drug Administration (FDA), recently issued much sought after guidance focusing on the security of wireless medical devices:  “Radio Frequency Wireless Technology in Medical Devices: Guidance for Industry and Food and Drug Administration Staff,” (the Guidance).  The Guidance is available on FDA's website[1] and applicable to all medical devices that incorporate RF wireless technology.[2]

FDA published the Guidance amidst heightened public and governmental scrutiny of wireless medical devices.  The threat of “human hacking” – taking control of someone’s wireless medical device and modifying its functionality to cause harm – recently gained widespread public attention due to the death of Barnaby Jack.  Jack, a young, healthy, and well-respected research hacker, was found dead only days before he was to present his technique for hacking defibrillators and pacemakers at a Black Hat conference.  While Jack's work and untimely death set off a flurry of media coverage that introduced wireless medical device vulnerabilities to the general public, the issue had already captured the federal government’s attention.  In fact, well before Jack's death, the US Government Accountability Office released a report stating that the FDA had failed to provide sufficient guidance to medical device manufacturers (MDMs) on mitigating the security risks faced by wireless medical devices.  With both the public and other governmental agencies tapping their feet impatiently, FDA released the long called for Guidance and filled it with many agency recommendations for securing wireless medical devices.

In a two-part post, we will address those recommendations, marry them with relevant FDA regulations and prior FDA guidance, and create a general blueprint for MDMs seeking to remain in compliance with FDA regulations for securing wireless medical devices.  Part I (below) discusses wireless device quality control protocols that, according to the Guidance, wireless MDMs must implement to remain in compliance with FDA regulations, as well as FDA’s general recommendations for securing wireless medical devices.  Part II will provide a summary of  FDA’s more technical recommendations and suggest concrete action items for designing, manufacturing, and maintaining wireless medical devices in an era of enhanced FDA supervision.

PART I            

1.0 FDA Regulations Require Medical Device Manufacturers to Manage Wireless Technology Risks by Implementing a Variety of Controls

Despite the fact that the Guidance focuses primarily on FDA’s recommended mechanisms for securing wireless medical devices, its most important message maybe that an MDM's failure to implement certain wireless device quality control procedures constitutes a violation of FDA regulations.  According to the Guidance, the FDA regulation governing MDM device quality control systems (21 CFR 820) requires MDMs to take the following steps whenever they incorporate RF wireless technology into a medical device:

• Include risk analyses for RF wireless communications and control functions as part of their device design validation procedures
• Establish procedures and controls for wireless medical devices and their components, including components that were purchased separately and added to the device, that ensure the device and its components conform to specified design requirements related to known RF wireless risks
• Include analyses for possible trends in non-conformance information and complaints, such as reports of failures, which could include erratic or unexpected behavior of the medical device, in your procedures for implementing corrective and preventive action
• For any identified failure or malfunction of an RF wireless function:
  • Investigate its cause of and take action(s) to correct the problem and prevent its recurrence
  • Analyze production and repair records and other sources of quality data to determine the cause of the non-conformance
  • Verify or validate any corrective action and preventative action taken to ensure that such action is effective and does not adversely affect the finished product

The Guidance’s interpretation of what 21 CFR 820 requires of MDMs is not to be ignored.  Under the regulation, failure to comply with any of its provisions renders a device adulterated under the FDA Act.  Further, both the device and the person deemed responsible for the MDM’s failure to comply with 21 CFR 820 are subject to regulatory action, including recall (for the device) and heavy fines (for the person).

Finally, do not be fooled by the fact that the Guidance’s recommendations are technically non-binding.  Remember that these recommendations represent the steps FDA believes MDMs should take to meet their obligations under the FDA regulations governing MDMs’ quality control responsibilities (21 CFR 820).  Should something go wrong, failure to adhere to at least the spirit of these recommendations will almost certainly increase the pain stemming from any related FDA investigation or enforcement action.

2.0 General FDA Recommendations for Managing the Risks Associated With Wireless Medical Devices

FDA recommends that MDMs fully consider the risks associated with RF wireless technologies while determining which device functions should be made wireless and which device functions should employ wired connectivity. Careful consideration of these risks makes sense, as the failure of a medical device’s wireless functionality could (i) cause serious physical harm to the patient relying on the proper operation of the device, (ii) lead to the unlawful disclosure, acquisition, or use of confidential patient health information, or (iii) cause disturbances in the functionality of any health IT systems to which they are connected.

Accordingly, the Guidance provides that MDMs should address known wireless safety issues early in the device design and development process all the way through to the end of the device’s life cycle.  To accomplish this objective, manufacturers should the following components in their wireless risk analysis and management plan:

• Identification of the device’s assets, threats, and vulnerabilities
• Impact assessment of the threats and vulnerabilities on device functionality
• Assessment of the likelihood of a threat or vulnerability being exploited
• Determination of risk levels and suitable mitigation strategies
• Residual risk assessment and risk acceptance criteria

In addition, MDMs should consider the potential impact of unintended interference and purposeful attempts to disrupt a wireless medical device or an associated device network’s functionality.  They should also test the device’s wireless functionality in intended use environments where other RF wireless technologies will likely be located.  MDMs should also consider risks to other devices and patients whose wireless connections might suffer from, or be the source of, interference when considering possible adverse outcomes related to a device’s use of RF wireless technology.

2.1 FDA Recommendations for Securing a Device’s Wireless Signals and Wirelessly Transmitted Data

FDA recommends that wireless medical devices secure wireless signals and data at a level appropriate for (i) the risks presented by the medical device, (ii) the device’s environment of use, (iii) the type and probability of the risks to which the device is exposed, and (iv) the probable risks to patients from a security breach. 

Of course, wireless devices cannot appropriately secure wireless signals and data unless they are designed and manufactured with these capabilities.  Recognizing this, FDA also recommends that MDMs provide justification for their devices’ wireless security capabilities in their premarket submissions.[3]  According to FDA guidance, a wireless medical device has justifiable security capabilities where its security features allow users to deploy device-appropriate controls for (i) limiting access to trusted users only, (ii) ensuring the integrity of data transferred to or from the device, and (iii) protecting the device’s critical functionality after a wireless breach. 

Some specific wireless security controls listed in FDA guidance, draft guidance, and industry letters include:

For Limiting Access to a Device

• Employing a layered authorization model that differentiates device access privileges based on a user’s role (e.g., staff, caregiver, administrator)
• Requiring users to provide accurate authentication credentials – such as (i) user ID and password, (ii) smartcard, or (iii) biometric credentials – before they can gain access to the device
•  Implementing automatic timed user session log-offs appropriate for the use environment
• Avoiding use of “hardcoded” passwords (i.e. passwords that are the same for each device, difficult to change, and vulnerable to public disclosure)
• Requiring multi-factor authentication for users with privileged device access (e.g. administrators, service technicians, maintenance personnel) and limit public access to passwords for privileged device access
• Securing devices and their communication ports with physical locks to minimize tampering
•  Employing strong software/firmware update controls

For Ensuring the Data Integrity of a Device

• Using accepted encryption methods to secure the transfer of data to and from the device, including WiFi Protected Access (WPA2) for IEEE 802.11 technology
• Note: FDA recommends that wireless medical devices avoid using Wired Equivalent Privacy (WEP) or other older protocols for connecting to wireless networks
• Minimizing the device’s use of automatic connection features that will allow the device to connect to any available wireless network in the area (e.g., a discovery mode such as that available in Bluetooth™ communications)
• Restricting software or firmware code updates to authenticated code

For Protecting the Critical Functionality of a Device

• Implementing fail safe and recovery procedures that protect the device’s critical functionality after a wireless breach has compromised the device’s security
• Employing tracking procedures that allow security compromises to be recognized, logged, and acted upon quickly
• Providing methods for the retention and recovery of device configuration specifications by an authenticated system administrator
• Incorporate error control processes to assure the integrity of data that the device transmits wirelessly and to manage potential risks related to maximum delay of data transfer
• Implement interference mitigation techniques if you are planning to use a shared RF wireless frequency band performance (e.g., alarms, back-up functions, alternative modes of operation)

Note: FDA has expressed displeasure at the current state of device access controls (particularly those related to password protection) in the medical device industry.  Implementation and enforcement of strong password protection requirements and avoiding the use of hardcoded passwords, as well as providing direction to device users concerning same, should be relatively easy to implement and help to keep MDMs off FDA’s enforcement radar. 

So that's it for Part I.  Look out for Part II, where we will delve into FDA's more specific and technical recommendations for securing wireless medical devices.